463296 – [LTC 6.0 FEAT] 201317:File Capabilities - Userspace

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 463296 - [LTC 6.0 FEAT] 201317:File Capabilities - Userspace

Summary: [LTC 6.0 FEAT] 201317:File Capabilities - Userspace

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	distribution
Sub Component:
Version:	6.0
Hardware:	All
OS:	All
Priority:	high
Severity:	high
Target Milestone:	beta
Target Release:	6.0
Assignee:	Scott Haines
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:	463297
Blocks:	356741 554559
TreeView+	depends on / blocked

Reported:	2008-09-22 20:40 UTC by IBM Bug Proxy
Modified:	2015-01-22 15:29 UTC (History)
CC List:	9 users (show)
Fixed In Version:	libcap-2.16-5.el6
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-11-10 20:13:06 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description IBM Bug Proxy 2008-09-22 20:40:36 UTC

=Comment: #0=================================================
Emily J. Ratliff <emilyr.com> - 2008-09-16 18:26 EDT
1. Feature Overview:
Feature Id:	[201317]
a. Name of Feature:	File Capabilities - Userspace
b. Feature Description
File capabilities allow an administrator to mark files with POSIX capabilities. When a process is
instantiated from binary, it receives the capabilities with which the on-disk file is marked.
Binaries that would normally require setuid permission can be given only the capabilities required.
The classic example is the ping program. Normally it is setuid because it requires CAP_NET_RAW. With
file capabilities, the binary can be marked on disk as requiring CAP_NET_RAW and no longer needs to
be made setuid. See
http://www.ibm.com/developerworks/library/l-posixcap.html?ca=dgr-lnxw01POSIX-capabilities for more
details. The libcap-2 packages is required for userspace support of the kernel feature.

Additional Comments:	Setting status to green.

2. Feature Details:
Sponsor:	LTC Security
Architectures:
x86
x86_64
ppc64
s390 native
s390 compat
s390x

Arch Specificity: Purely Common Code
Affects Toolchain: Yes
Affects Core Kernel: Yes
Delivery Mechanism: Direct from community
Category:	Security
Request Type:	Package - Feature from Upstream
d. Upstream Acceptance:	Accepted
Sponsor Priority	1
f. Severity: High
IBM Confidential:	no
Code Contribution:	IBM code
g. Component Version Target:	>= libcap-2.04. See
http://ftp.kernel.org/pub/linux/libs/security/linux-privs/libcap2/

3. Business Case
Finer grained control over executable capabilities reduces the danger binaries as they no longer
need to be made setuid and only required capabilities can be given to the process. This will
increase customer security and give Linux a competitive advantage over Windows and Solaris.

4. Primary contact at Red Hat: 
John Jarvis
jjarvis

5. Primary contacts at Partner:
Project Management Contact:
Mounir Bsaibes, bsaibes.com, 512-838-1301

Technical contact(s):
George Wilson, gcwilson.com
Serge Hallyn, sergeh.com

IBM Manager:
Bryan Jacobson, bjacobson.com

Comment 1 Bill Nottingham 2008-10-01 21:22:18 UTC

This version of libcap is already in Fedora 10, so this should not be an issue. Note that further integration and actually using fs capabilities in shipped packages is unfinished work.

Comment 2 Steve Grubb 2008-10-02 13:01:27 UTC

Please note that more than just libcap-2 is needed. We need rpm to support capabilities so that it can be decided in the spec file what they should be. We also need user space tools updated to consider files with security extended attributes to be privileged. We have a tracker bug #449984 that we have been working over the last few months. There is a lot of resistance from the community for this feature as noted in bug #455713 where we tried to get setuid removed from ping.

Comment 3 Panu Matilainen 2008-10-30 18:34:44 UTC

For the record, support for capabilities was recently added to rpm upstream. It's not in any released version yet but that can be expected to change in time for RHEL 6.

Comment 4 IBM Bug Proxy 2009-03-02 23:00:27 UTC

As noted in comment #5, userspace file capabilties support is enabled in F10.

Comment 5 releng-rhel@redhat.com 2009-11-06 19:44:49 UTC

Fixed in 'libcap-2.16-5.el6', included in compose 'RHEL6.0-20091106.0'.
Moving to ON_QA.

Comment 7 IBM Bug Proxy 2010-05-20 13:21:31 UTC

------- Comment From sergeh.com 2010-05-20 09:12 EDT-------
After 'yum install libcap-devel', the ltp filecaps testcase compile, runs, and passes.

Comment 9 Alexander Todorov 2010-08-21 11:48:34 UTC

[root@ibm-x3950m2-02 6]# pwd
/mnt/redhat/rel-eng/RHEL6.0-20100818.0/6

[root@ibm-x3950m2-02 6]# find -name "libcap-2*"
./WebServer/x86_64/os/Packages/libcap-2.16-5.2.el6.i686.rpm
./WebServer/x86_64/os/Packages/libcap-2.16-5.2.el6.x86_64.rpm
./WebServer/source/SRPMS/libcap-2.16-5.2.el6.src.rpm
./Server/i386/os/Packages/libcap-2.16-5.2.el6.i686.rpm
./Server/source/SRPMS/libcap-2.16-5.2.el6.src.rpm
./Server/s390x/os/Packages/libcap-2.16-5.2.el6.s390.rpm
./Server/s390x/os/Packages/libcap-2.16-5.2.el6.s390x.rpm
./Server/ppc64/os/Packages/libcap-2.16-5.2.el6.ppc.rpm
./Server/ppc64/os/Packages/libcap-2.16-5.2.el6.ppc64.rpm
./Server/x86_64/os/Packages/libcap-2.16-5.2.el6.x86_64.rpm
./Server/x86_64/os/Packages/libcap-2.16-5.2.el6.i686.rpm
./Client/i386/os/Packages/libcap-2.16-5.2.el6.i686.rpm
./Client/source/SRPMS/libcap-2.16-5.2.el6.src.rpm
./Client/x86_64/os/Packages/libcap-2.16-5.2.el6.x86_64.rpm
./Client/x86_64/os/Packages/libcap-2.16-5.2.el6.i686.rpm
./ComputeNode/x86_64/os/Packages/libcap-2.16-5.2.el6.i686.rpm
./ComputeNode/x86_64/os/Packages/libcap-2.16-5.2.el6.x86_64.rpm
./ComputeNode/source/SRPMS/libcap-2.16-5.2.el6.src.rpm
./Workstation/i386/os/Packages/libcap-2.16-5.2.el6.i686.rpm
./Workstation/source/SRPMS/libcap-2.16-5.2.el6.src.rpm
./Workstation/x86_64/os/Packages/libcap-2.16-5.2.el6.x86_64.rpm
./Workstation/x86_64/os/Packages/libcap-2.16-5.2.el6.i686.rpm
./source/SRPMS/libcap-2.16-5.2.el6.src.rpm


see also comment #7

Comment 10 releng-rhel@redhat.com 2010-11-10 20:13:06 UTC

Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.